Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Mousejack Attacks Abuse Vulnerable Wireless Keyboard, Mouse Dongles

Bastille Networks today disclosed the Mousejack attacks, vulnerabilities in wireless keyboards and mice that can be abused to inject keystrokes or mouseclicks onto computers.

Wireless keyboards and mice are the latest peripherals to put enterprise networks and user data at risk.

Researchers at Bastille Networks today said that non-Bluetooth devices from seven manufacturers including Logitech, Dell and Lenovo are vulnerable to so-called Mousejack attacks that would allow a hacker within 100 meters to abuse this attack vector and install malware or use that machine as pivot point onto the network.

Logitech said that it has developed a firmware update, which is available for download. It is the only one among the affected vendors to respond so for with a patch.

“Logitech’s Unifying technology was launched in 2007 and has been used by millions of our consumers since. To our knowledge, we have never been contacted by any consumer with such an issue,” Asif Ahsan, Senior Director, Engineering, Logitech. “We have nonetheless taken Bastille Security’s work seriously and developed a firmware fix. If any of our customers have concerns, and would like to ensure that this potential vulnerability is eliminated. … They should also ensure their Logitech Options software is up to date.”

The issue lies in the wireless USB dongles that the keyboards and mice use to communicate over radio frequencies with the host computer. Bastille says that while communication from most keyboards to the dongle is encrypted, none of the mice it tested encrypt their wireless communication. The dongle, therefore, will accept commands from an attacker in close physical proximity the same way it would from the user.

The attacker can, therefore, transmit malicious packets that generate keystrokes rather than mouse clicks, so long as the victim’s computer is turned on, Bastille said.

“Depending on the speed of the attack and how closely the victim is paying attention, it can happen pretty quickly,” said researcher Marc Newlin, who said that an attack could simulate 1,000 words-per-minute typing and install a rootkit in 10 seconds, or eight milliseconds-per-keystroke.

Bastille founder Chris Rouland said that an attacker could exploit the vulnerability with a $15 USB dongle and 15 lines of Python code against any Windows, Mac or Linux machine and gain full control.

“At this point, they can inject malware, or compromise an air-gapped network by turning on Wi-Fi on the target,” Rouland said. “We have been working with the vendors for more than 90 days. More than half of the mice are not able to be updated and will not be patched. And likely won’t be replaced. There will be vulnerable devices everywhere.”

Attackers can inject keystrokes by spoofing either a mouse or keyboard; vulnerable dongles, for example, will not verify that the packet received matches the device that transmitted it. An attacker can impersonate the mouse but transmit keypress-packets, Bastille said, that will be accepted by the dongle. Most of the keyboards, meanwhile, encrypt data before sending it to the dongle over RF, but Bastille said that not all of the dongles it tested require encryption. The attacker can spoof the keyboard and send unencrypted packets to the dongle that allow the attacker to type commands on the host computer.

Bastille said that an attacker could also force a new device to pair with an old dongle for the same type of access.

“An attacker doesn’t need to know any information about the target victim outside of the OS running,” Newlin said. “It’s straightforward to use the dongle and python code to discover devices and learn whether they’re vulnerable.”

Rouland said that nation-state attackers, for example, could use this attack vector to get on a network and pivot.

“This could have a huge impact at scale,” Rouland said. “You could get into any corporation this way, no matter which machine. And there’s no way to detect these attacks.”

Two weeks ago at the Kaspersky Lab Security Analyst Summit, Rouland gave a presentation about vulnerabilities in the wireless spectrum and how the Internet of Things provides attackers with a spectrum of attack vectors three times as large as traditional attacks.

Discussion

Firmware updating my Logitech wireless trackball M570 doesn't actually work. Downloaded latest Unifying software, yet it completely fails to show the firmware version.
I would have thought such a relatively 'modern' device would have been included in the mentioned firmware update.

Unfortunately, while logitech says they've developed an update, it doesn't seem to be actually downloadable. Both my Mac and PC's Unify software says I have the vulnerable version and that they are up to date.

To admins: it is not possible to post from Safari, Firefox, Chrome or Opera on Mac (latest versions). The captcha hides the reply and other information. When selecting text in this reply form, Command C to copy unselects it. Frustrating!
In relation to the article... Nothing like physical wired connections, whenever possible.

The updated firmware, and instructions for installing it, are at https://forums.logitech.com/t5/Mice-and-Pointing-Devices/Logitech-Response-to-Unifying-Receiver-Research-Findings/m-p/1493878
Also, admins, I couldn't post from IE or Chrome on Windows for same reason TheX mentioned. I had to make the captcha box invisible using a web debugger in order to expose the POST COMMENT button.

You can still access the post through wayback machine:
https://web.archive.org/web/20160305225833/https://forums.logitech.com/t5/Mice-and-Pointing-Devices/Logitech-Response-to-Unifying-Receiver-Research-Findings/m-p/1493878?nobounce

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.